Data Loss Prevention

  • 1.  SYSLOG of incident data

    Posted Mar 26, 2012 12:26 PM

    Where can I find information on how to send incident data to ArcSight? Is this as simple as creating an email response rule for an incident? I looked at enabling the Syslog function, but this option seems to be applicable only to system events, not incident data.  Any tips and best practices would be helpful.

    Thanks, Margaret



  • 2.  RE: SYSLOG of incident data

    Posted Mar 26, 2012 01:04 PM

    You need to set up a Response Rule for your policy.  Easy as that.

    ArcSight has a connector already developed for Symantec DLP.  Somewhere out there, there is a guide from ArcSight which specifies the exact format of the syslog message that should be set up in the DLP response rule if you are using that connector.

    Regards,


    ~Keith



  • 3.  RE: SYSLOG of incident data

    Posted Mar 27, 2012 12:35 AM

    Hi Margaret,

    You have the option to send severe Vontu system events to a syslog server. To do this you must modify the config\Manager.properties file.

    NOTE: You can also configure Vontu to send email notifications of severe system events. For details, open the Vontu online help and go to Administration>System>Alerts>Alerts Overview.

    To enable syslog logging:

    1. Locate and open the config\Manager.properties file.

    2. Uncomment the following lines:

    #systemevent.syslog.host=
    #systemevent.syslog.port=
    #systemevent.syslog.format= [{0}] {1} - {2}

    3. Type values for each of these parameters, as follows:

    host—syslog server host or IP address
    port—syslog server port number (default is 514)
    format—log file message format. Specify one or more of the following indicators:
    {0}—includes the name of the server on which the event occurred

    {1}—includes a brief summary of the event



  • 4.  RE: SYSLOG of incident data

    Posted Mar 27, 2012 07:03 AM

    Kishorila, I'm looking for a solution to send Incident Information, not severe system alerts.  Do you know how to set up a response rule/syslog to include DLP incident information?



  • 5.  RE: SYSLOG of incident data

    Posted Mar 27, 2012 11:06 AM

    Hi Margaret,

    Please find below the steps to do the same.

    The Log to a Syslog Server response rule action logs the incident to a syslog server. These logs can be useful if you use a Security Information and Events Management (SIEM) system.

    This response rule action is available for all types of detection servers.

    You must integrate the Enforce Server with the syslog server to implement this response rule action.

    To configure the Log to a Syslog Server response rule action:

    1. Configure a response rule at the Configure Response Rule screen.

    2. Add the Log to a Syslog Server action type from the Actions list.

    3. Enter the Host name of the syslog server.

    4. Edit the Port for the syslog server, if necessary. The default port is 514.

    5. Enter the text of the Message to log on the syslog server.

    6. Select the Level to apply to the log message from the drop-down list. The following options are available:

       0 - Kernel panic
       1 - Needs immediate attention
       2 - Critical condition
       3 - Error
       4 - Warning
       5 - May need attention
       6 - Informational
       7 - Debugging

    7. Save the response rule.

    See Manage response rules.



  • 6.  RE: SYSLOG of incident data

    Posted Apr 11, 2012 10:50 AM

    Margaret -

    1. Create a response rule (start with Smart Response for testing, move to automatic when it is working)

    2. Choose "All: Log to a syslog server" 

    3. Host is the server you have Syslog running on

    4. Port is 514

    5. A sample message field entry is below; it will include a hyperlink in the ArcSight event so your responder can log in to the DLP console and go right to the correct DLP incident.

    CEF:0|Symantec|DataLossPrevention|11.5|$POLICY$|$POLICY$|5|cs1Label=Sender cs1=$SENDER$ cs2Label=Recipient cs2=$RECIPIENTS$ msg=$RULES$ cn1=$MATCH_COUNT$ cn1Label=MatchCount cs3Label=IncidentSnapshot cs3=$INCIDENT_SNAPSHOT$ cs4Label=DLPSeverity cs4=$SEVERITY$ suid=$Employee Code$

    6. Use the SmartConnector Configuration Guide for Vontu Syslog from ArcSight to configure ArcSight to properly parse the event. 

    7. Once you have that working, replace $INCIDENT_SNAPSHOT$ with:

    https://<ENFORCEHOSTNAME>/ProtectManager/IncidentDetail.do?value(variable_1)\=incident.id&value(operator_1)\=in&value(operand_1)\=$INCIDENT_ID$

    to send a "url/link" for your ArcSight operator/analyst to the specific DLP incident that fired.

    Good luck - works great for me!

    Bob.
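Added example, not code from this thread or from Symantec or ArcSight: a small Python parser for the kind of CEF line Bob's response rule emits, showing the `\|` and `\=` escaping that the receiving connector has to undo (which is why the IncidentSnapshot URL above carries `\=`), the csNLabel-to-value mapping, and a check that the snapshot link really points at the expected Enforce Server before a responder is handed it. The sample line, its values and the hostname `enforce.example.test` are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample of what the response rule above emits once Enforce has filled
# in its $VARIABLES$ (made-up values; hostname is a placeholder). The '\=' in cs3 is
# CEF escaping: a literal '=' inside an extension value must be written as '\='.
SAMPLE_CEF = (
    "CEF:0|Symantec|DataLossPrevention|11.5|PCI Policy|PCI Policy|5|"
    "cs1Label=Sender cs1=alice@example.test cs2Label=Recipient cs2=bob@example.test "
    "msg=Credit Card Numbers cn1=3 cn1Label=MatchCount cs3Label=IncidentSnapshot "
    "cs3=https://enforce.example.test/ProtectManager/IncidentDetail.do?"
    "value(variable_1)\\=incident.id&value(operator_1)\\=in&value(operand_1)\\=12345 "
    "cs4Label=DLPSeverity cs4=High suid=E1001"
)
HEADER_KEYS = ("version", "vendor", "product", "product_version", "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # an extension key starts after whitespace

def _split_header(line):
    # The 7 header fields are '|'-separated; a literal '|' in a field is escaped as '\|'.
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    return fields, line[i:]

def parse_cef(line):
    # Header fields by name, plus extensions keyed by their csNLabel/cnNLabel names.
    fields, ext = _split_header(line)
    event = dict(zip(HEADER_KEYS, fields))
    event["version"] = fields[0][4:]
    keys = list(_EXT_KEY.finditer(ext))
    ends = [m.start() for m in keys[1:]] + [len(ext)]  # each value runs to the next key
    raw = {m.group(1): re.sub(r"\\(.)", r"\1", ext[m.end():end]) for m, end in zip(keys, ends)}
    event["ext"] = {raw.get(k + "Label", k): v
                    for k, v in raw.items() if not k.endswith("Label")}
    return event

def incident_id(event, enforce_host):
    # Take the id from the snapshot link only if it points at the expected Enforce host.
    url = urlsplit(event["ext"]["IncidentSnapshot"])
    if url.scheme != "https" or url.hostname != enforce_host:
        raise ValueError("snapshot link does not point at the Enforce Server")
    return int(parse_qs(url.query)["value(operand_1)"][0])
```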